From: David Carlier
Date: Wed, 23 May 2018 04:38:25 +0000 (+0000)
Subject: [analyzer] CStringChecker fix for strlcpy when no bytes are copied to the dest buffer
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bb92f34ba292c453ccc103f4ad05a1f8eeea810b;p=clang

[analyzer] CStringChecker fix for strlcpy when no bytes are copied to the dest buffer

Again, strlc* does not return a pointer so the zero size case doest not fit.

Reviewers: NoQ, george.karpenkov

Reviewed by: NoQ

Differential Revision: https://reviews.llvm.org/D47007

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@333060 91177308-0d34-0410-b5e6-96231b3b80d8
---

diff --git a/lib/StaticAnalyzer/Checkers/CStringChecker.cpp b/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
index 39db586189..a51bc062e1 100644
--- a/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
@@ -1652,7 +1652,11 @@ void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
     // If the size is known to be zero, we're done.
     if (StateZeroSize && !StateNonZeroSize) {
-      StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
+      if (returnPtr) {
+        StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
+      } else {
+        StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, *lenValNL);
+      }
       C.addTransition(StateZeroSize);
       return;
     }
diff --git a/test/Analysis/bsd-string.c b/test/Analysis/bsd-string.c
index 4c57c86f17..14e1b00fc0 100644
--- a/test/Analysis/bsd-string.c
+++ b/test/Analysis/bsd-string.c
@@ -38,3 +38,8 @@ void f6() {
   size_t len = strlcat(buf, "defg", 4);
   clang_analyzer_eval(len == 7); // expected-warning{{TRUE}}
 }
+
+int f7() {
+  char buf[8];
+  return strlcpy(buf, "1234567", 0); // no-crash
+}
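Review bot: The non-pointer branch binds `*lenValNL`, the size argument that this path has just established to be zero, as the value of the call, but BSD strlcpy returns strlen(src) independent of the size passed (and strlcat returns a length derived from the two strings, not from size), so the analyzer is now taught that `strlcpy(buf, "1234567", 0)` evaluates to 0 rather than 7. The value to bind here should be the source-length SVal that evalStrcpyCommon computes earlier in the function, which starts outside this hunk so its name is not visible here; if it is `strLength`, the line becomes `StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, strLength);`, with the destination length added in for the strlcat case. Separately, `*lenValNL` dereferences an Optional with no check visible in the hunk; if the size-zero state can be reached with a length that is not a NonLoc, this would assert, so either guard it or bind `svalBuilder.makeZeroVal(sizeTy)` rather than the optional. A one-line comment such as `// strlc* return a length, not the destination pointer` above the branch would record why the two cases differ.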
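Review bot: f7 only asserts that the analyzer survives a zero-size strlcpy (`// no-crash`); it does not pin what value the call is modeled to produce, which is exactly what the CStringChecker hunk changes. Since strlcpy returns strlen(src) regardless of the size argument, the test should check the result the way f6 does for strlcat: `size_t len = strlcpy(buf, "1234567", 0); // no-crash` followed by `clang_analyzer_eval(len == 7); // expected-warning{{TRUE}}`, which would also expose whether binding the zero size is the right model. f6 begins outside the hunk; f7 is complete within it.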